1. PURPOSE. This Instruction, in accordance with the authorities in DoD Directive (DoDD) 
5134.01 (Reference (a)) and DoDD 5144.02 (Reference (b)): 

a. Establishes policy and assigns responsibilities to minimize the risk that DoD’s warfighting 
mission capability will be impaired due to vulnerabilities in system design or sabotage or 
subversion of a system’s mission critical functions or critical components, as defined in this 
Instruction, by foreign intelligence, terrorists, or other hostile elements. 

b. Implements the DoD's TSN strategy, described in the Report on Trusted Defense Systems 
(Reference (c)) as the Strategy for Systems Assurance and Trustworthiness, through Program 
Protection and cybersecurity implementation to provide uncompromised weapons and 
information systems. The TSN strategy integrates robust systems engineering, supply chain risk 
management (SCRM), security, counterintelligence, intelligence, cybersecurity, hardware and 
software assurance, and information systems security engineering disciplines to manage risks to 
system integrity and trust. 

c. Incorporates and cancels Directive-Type Memorandum 09-016 (Reference (d)). 

d. Directs actions in accordance with the SCRM implementation strategy of National 
Security Presidential Directive 54/Homeland Security Presidential Directive 23 (Reference (e)), 
section 806 of Public Law 111-383 (Reference (f)), DoDD 5000.01 (Reference (g)), DoDI 
5000.02 (Reference (h)), DoDI 8500.01 (Reference (i)), Committee on National Security 
Systems Directive (CNSSD) No. 505 (Reference (j)), and National Institute for Science and 
Technology Special Publication 800-161 (Reference (k)). 


2. APPLICABILITY. This Instruction applies to: 
a. OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff 
(CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the 
Department of Defense, the Defense Agencies, the DoD Field Activities, and all other 
organizational entities within the DoD (hereinafter referred to collectively as the “DoD 
Components”). 

b. All DoD information systems and weapons systems that are or include systems described 
in subparagraphs 2.b.(1) through 2.b.(3) (hereinafter referred to collectively as “applicable 
systems”): 

(1) National security systems as defined by section 3552 of title 44, United States 
Code (U.S.C.) (Reference (l)). Although DoD's Non-classified Internet Protocol Router 
Network (NIPRNet) and its enclaves are considered national security systems in accordance with 
CJCS Instruction 6211.02D (Reference (m)), they are exempted from this Instruction due to the 
need to prioritize use of limited TSN enterprise capabilities unless paragraph 2.b.(2) or 2.b.(3) 
applies. 

(2) Any DoD system with a high impact level for any of the three security objectives 
(confidentiality, integrity, and availability) in accordance with the system categorization 
procedures in DoDI 8510.01 (Reference (n)). 

(3) Other DoD information systems that the DoD Component’s acquisition executive or 
chief information officer, or designee, determines are critical to the direct fulfillment of military 
or intelligence missions, which may include some connections to or enclaves of NIPRNet and 
some industrial control systems. 

c. All mission critical functions and critical components within applicable systems identified 
through a criticality analysis, including spare or replacement parts. For purposes of this 
Instruction, only information and communications technology (ICT) components in applicable 
systems shall be considered for the processes described herein until this Applicability section is 
modified in accordance with Enclosure 2, paragraph 1.f. 


3. DEFINITIONS. See Glossary. 


4. POLICY. It is DoD policy that: 

a. Mission critical functions and critical components within applicable systems shall be 
provided with assurance consistent with criticality of the system, and with their role within the 
system. 

b. All-source intelligence analysis of suppliers of critical components shall be used to inform 
risk management decisions. 
c. Risk to the trust in applicable systems shall be managed throughout the entire system 
lifecycle. The application of risk management practices shall begin during the design of 
applicable systems and prior to the acquisition of critical components or their integration within 
applicable systems, whether acquired through a commodity purchase, system acquisition, or 
sustainment process. Risk management shall include TSN processes, tools, and techniques to: 

(1) Reduce vulnerabilities in the system design through system security engineering. 

(2) Control the quality, configuration, software patch management, and security of 
software, firmware, hardware, and systems throughout their lifecycles, including components or 
subcomponents from secondary sources. Employ protections that manage risk in the supply 
chain for components or subcomponent products and services (e.g., integrated circuits, field- 
programmable gate arrays (FPGA), printed circuit boards) when they are identifiable (to the 
supplier) as having a DoD end-use. 

(3) Detect the occurrence of, reduce the likelihood of, and mitigate the consequences of 
unknowingly using products containing counterfeit components or malicious functions in 
accordance with DoDI 4140.67 (Reference (o)). 

(4) Detect vulnerabilities within custom and commodity hardware and software through 
rigorous test and evaluation capabilities, including developmental, acceptance, and operational 
testing. 


(5) Implement tailored acquisition strategies, contract tools, and procurement methods 
for critical components in applicable systems, to include covered procurement actions in 
accordance with Reference (f). 

(6) Implement item unique identification (IUID) for national level traceability of critical 
components in accordance with DoDI 8320.04 (Reference (p)). 

d. The identification of mission critical functions and critical components as well as TSN 
planning and implementation activities, including risk acceptance as appropriate, shall be 
documented in the Program Protection Plan (PPP) in accordance with Reference (h) and in 
relevant cybersecurity plans and documentation in accordance with Reference (i). 

e. In applicable systems, integrated circuit-related products and services shall be procured 
from a trusted supplier using trusted processes accredited by the Defense Microelectronics 
Activity (DMEA) when they are custom-designed, custom-manufactured, or tailored for a 
specific DoD military end use (generally referred to as application-specific integrated circuits 
(ASIC)). 


5. RESPONSIBILITIES. See Enclosure 2. 


6. RELEASABILITY. Cleared for public release. This Instruction is available on the Internet 
from the DoD Issuances Website at http://www.dtic.mil/whs/directives. 
7. EFFECTIVE DATE. This Instruction is effective November 5, 2012. 


Teresa M. Takai 

DoD Chief Information Officer 


Enclosures 

1. References 

2. Responsibilities 
Glossary 



Frank Kendall 

Under Secretary of Defense 

for Acquisition, Technology, and Logistics 
ENCLOSURE 1 

REFERENCES 


(a) DoD Directive 5134.01, “Under Secretary of Defense for Acquisition, Technology, and 
Logistics (USD(AT&L)),” December 9, 2005, as amended 

(b) DoD Directive 5144.02, “DoD Chief Information Officer (DoD CIO),” November 21, 2014 

(c) Report on Trusted Defense Systems in response to the National Defense Authorization Act 
for Fiscal Year 2009, December 22, 2009 [1] 

(d) Directive-Type Memorandum 09-016, “Supply Chain Risk Management (SCRM) to 
Improve the Integrity of Components Used in DoD Systems,” March 25, 2010 (hereby 
cancelled) 

(e) National Security Presidential Directive 54/Homeland Security Presidential Directive 23, 
“Cybersecurity Policy,” January 8, 2008 [2] 

(f) Section 806 of Public Law 111-383, “The National Defense Authorization Act for Fiscal 
Year 2011,” January 7, 2011 

(g) DoD Directive 5000.01, “The Defense Acquisition System,” May 12, 2003 

(h) DoD Instruction 5000.02, “Operation of the Defense Acquisition System,” January 7, 2015 

(i) DoD Instruction 8500.01, “Cybersecurity,” March 14, 2014 

(j) Committee on National Security Systems Directive No. 505, “Supply Chain Risk 
Management (SCRM),” March 7, 2012 [3] 

(k) National Institute for Science and Technology Special Publication 800-161, “Supply Chain 
Risk Management Practices for Federal Information Systems and Organizations,” 
April 2015 

(l) Section 3552 of title 44, United States Code 

(m) Chairman of the Joint Chiefs of Staff Instruction 6211.02D, “Defense Information Systems 
Network (DISN) Responsibilities,” January 24, 2012 

(n) DoD Instruction 8510.01, “Risk Management Framework (RMF) for DoD Information 
Technology (IT),” March 12, 2014 

(o) DoD Instruction 4140.67, “DoD Counterfeit Prevention Policy,” April 26, 2013 

(p) DoD Instruction 8320.04, “Item Unique Identification (IUID) Standards for Tangible 
Personal Property,” September 3, 2015 

(q) Defense Federal Acquisition Regulation Supplement, current edition [4] 

(r) Defense Acquisition Guidebook, current edition [5] 

(s) Section 937 of Public Law 113-66, “The National Defense Authorization Act for Fiscal 
Year 2014,” December 26, 2013 

(t) Policy Memorandum 15-001, Joint Federated Assurance Center (JFAC) Charter, 
February 9, 2015 [6] 

(u) DoD Instruction O-5240.24, “Counterintelligence (CI) Activities Supporting Research, 
Development, and Acquisition (RDA),” June 8, 2011, as amended 

(v) Supply Chain Risk Management (SCRM) Program Office, Trusted Mission Systems and 
Networks Directorate, “Key Practices and Implementation Guide for the DoD 
Comprehensive National Cybersecurity Initiative 11 - Supply Chain Risk Management 
Pilot Program,” February 25, 2010 [7] 

(w) Section 11101 of title 40, United States Code 

(x) Committee on National Security Systems Instruction No. 4009, “Committee on National 
Security Systems (CNSS) Glossary,” April 6, 2015 [8] 

(y) DoD 5240.1-R, “Procedures Governing the Activities of DoD Intelligence Components 
That Affect United States Persons,” December 1, 1982 


[1] Available to authorized users by request from the Office of the USD(AT&L). 
[2] Available to authorized users by request from the National Security Council. 
[3] Available to authorized users by request from the Committee on National Security Systems. 
[4] Available at http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html 
[5] Available at https://dag.dau.mil 
[6] Available at http://www.acq.osd.mil/se/docs/JFAC-Charter-Signed-9Feb2015.pdf 
[7] Available to authorized users at https://rmfks.osd.mil/rmf/Guidance/RMFRelatedTopics/Pages/SCRM.aspx 
[8] Available at https://www.cnss.gov/CNSS/issuances/Instructions.cfm 
ENCLOSURE 2 
RESPONSIBILITIES 


1. UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND 
LOGISTICS (USD(AT&L)). The USD(AT&L), in accordance with Reference (a), shall: 

a. In coordination with the DoD Chief Information Officer (CIO), oversee the 
implementation of this Instruction and issue supporting guidance as necessary. 

b. Coordinate with the DoD CIO and the Heads of the DoD Components to develop TSN 
requirements, best practices, and mitigations. Develop guidance for identification and protection 
of mission critical functions and critical components, develop programming recommendations 
for TSN, align DoD TSN enterprise resources (e.g., test and evaluation, training), and develop 
TSN training for appropriate DoD Components and contractor personnel. 

c. In coordination with the DoD CIO and the Director, National Security Agency/Chief, 
Central Security Service (DIRNSA/CHCSS), advance the state of the art in assurance tools, 
techniques, and methods for creating and identifying non-cryptologic software and hardware that 
is free from exploitable vulnerabilities and malicious intent. 

d. In coordination with the DoD CIO and the Heads of the DoD Components, integrate the 
identification and protection of mission critical functions and critical components into system 
engineering, acquisition, logistics, and materiel readiness policies to ensure implementation of 
TSN concepts in technology demonstration or other research projects, defense acquisition 
programs, commodity purchases, operations and maintenance activities, and end-of-life disposal 
procedures. 

e. In coordination with the DoD CIO, incorporate TSN concepts and the authorities in 
Reference (f) into the Defense Federal Acquisition Regulation Supplement (Reference (q)), 
Defense Acquisition Guidebook (Reference (r)), and solicitation and contract language. 

f. In coordination with the DoD CIO, the Under Secretary of Defense for Intelligence 
(USD(I)), and the Heads of the DoD Components, evaluate the feasibility and usefulness of 
applying the processes that are described for critical ICT components for applicable systems in 
accordance with this Instruction to non-ICT components that are critical to DoD weapons and 
information systems and issue policy as appropriate. In the event that demand for threat 
assessments exceeds resources, establish, in coordination with the DoD CIO, the USD(I), and the 
Heads of the DoD Components, the prioritization for threat assessment support. 

g. In coordination with the DoD CIO, the Director, Defense Intelligence Agency (DIA), and 
the Heads of the DoD Components, develop a strategy for managing risk in the supply chain for 
integrated circuit-related products and services (e.g., FPGAs, printed circuit boards) that are 
identifiable to the supplier as specifically created or modified for DoD (e.g., military temperature 
range, radiation hardened). 
h. In coordination with DoD CIO and participating DoD Components, develop, maintain, 
and offer software and hardware assurance capabilities across the DoD Components as 
required by Section 937 of Public Law 113-66 (Reference (s)) and Policy Memorandum 15-001, 
Joint Federated Assurance Center (JFAC) Charter (Reference (t)). 


2. DIRECTOR, DMEA. The Director, DMEA, under the authority, direction, and control of 
USD(AT&L), shall, in coordination with DoD CIO and the Heads of the DoD Components, 
perform the accreditations of trusted suppliers, review those accreditations on an annual basis, 
issue follow-on guidance for the use of trusted suppliers, and establish criteria for accrediting 
trusted suppliers of integrated circuit-related products and services. 


3. DoD CIO. The DoD CIO shall: 

a. Coordinate with the USD(AT&L) and the Heads of the DoD Components as a subject 
matter expert on SCRM activities within TSN, implementation of TSN across the DoD, and 
development of TSN training, requirements, best practices, and mitigations. 

b. Integrate TSN concepts into cybersecurity controls and other policies and processes (e.g., 
Reference (i)), as appropriate. 

c. Issue guidance (e.g., information system security engineering guidance) and develop 
programming recommendations to ensure the integration of TSN concepts and processes into the 
acquisition and maintenance of DoD information systems, enclaves, and services, including the 
purchase and integration of ICT commodities. 


4. USD(I). The USD(I) shall: 

a. Guide collection of foreign intelligence and direct all-source analysis of supply chain risk. 

b. Integrate TSN concepts into USD(I)-managed policies and processes, as appropriate. 

c. In coordination with the DIRNSA/CHCSS, develop processes and procedures for 
responding to suspected or actual supply chain exploits identified by the Heads of the DoD 
Components, such as vulnerability assessments, best practices, and educational materials. 

d. Provide oversight for counterintelligence, defense intelligence, and security support to 
protect critical mission functions and components. 

5. DIRNSA/CHCSS. The DIRNSA/CHCSS, under the authority, direction, and control of the 
USD(I) and in addition to the responsibilities in section 8 of this enclosure, shall: 
a. Support the development and application of TSN requirements, best practices, and 
processes. In the event that demand for support exceeds resources, establish, in coordination 
with the DoD CIO, the USD(I), and the Heads of the DoD Components, prioritization for support 
to achieve TSN. 

b. Advise and guide the Heads of the DoD Components in the application of processes, 
tools, techniques and methods to minimize vulnerabilities and risk of malicious intent in 
procured and developed software and hardware for applicable systems. 

c. In coordination with selected software assurance testing centers, define processes, tools, 
techniques and standards to effectively test newly developed and acquired DoD software and 
hardware for applicable systems. 

d. Assess software analysis tools and practices and disseminate guidance on software and 
hardware vulnerability reduction and malicious intent identification to enable acquisition 
programs to manage risk effectively. 


6. DIRECTOR, DIA. The Director, DIA, under the authority, direction, and control of the 
USD(I), and in addition to the responsibilities in section 8 of this enclosure, shall produce an 
intelligence and counterintelligence assessment of supplier threats to acquisition programs 
providing critical weapons, information systems, or service capabilities in accordance with DoDI 
O-5240.24 (Reference (u)). In the event that demand for support exceeds resources, establish, 
in coordination with USD(AT&L), DoD CIO, and the Heads of the DoD Components, 
prioritization for support to conduct threat analysis of suppliers of critical components. 


7. UNDER SECRETARY OF DEFENSE FOR POLICY (USD(P)). The USD(P) shall, in 
coordination with the USD(I), establish security policy for foreign national participation in 
system integration activities. 


8. HEADS OF THE DoD COMPONENTS. The Heads of the DoD Components shall: 

a. Designate a TSN focal point or focal points, with access to all DoD Components research, 
development, acquisition, and sustainment (RDA) activities for applicable systems, in order 
to: 


(1) Coordinate and prioritize requests for threat analysis of suppliers of critical 
components in accordance with Reference (v). 

(2) Coordinate and prioritize requests for DoD Components and Enterprise TSN 
resources, including TSN subject matter experts, and tools, including hardware and software 
assurance capabilities in accordance with References (s) and (t). 


DoDI 5200.44, November 5, 2012 
Change 1, 08/25/2016 


(3) Coordinate with the DoD CIO and USD(AT&L) in the development of TSN 
requirements, best practices, and mitigations. 

(4) Assure the identification of mission critical functions and critical components as well 
as TSN planning and implementation activities are documented in the PPP. 

b. Establish processes for managers of research, development, acquisition, and sustainment 
(RDA) activities for applicable systems to manage risk to the trust in the system by: 

(1) Conducting a criticality analysis to identify mission critical functions and critical 
components and reducing the vulnerability of such functions and components through secure 
system design. 

(2) Requesting threat analysis of suppliers of critical components from the pertinent TSN 
focal point and managing access to and control of threat analysis products containing U.S. person 
information, in accordance with Reference (v). 

(3) Engaging the pertinent TSN focal point for guidance on managing identified risk 
using DoD Components and Enterprise risk management resources. 

(4) Applying TSN best practices, processes, techniques, and procurement tools prior to 
the acquisition of critical components or their integration into applicable systems, at any point in 
the system lifecycle. Such tools and practices include contract requirements developed in 
accordance with USD(AT&L) guidance provided pursuant to paragraph 1.e of this enclosure, 
SCRM key practices (Reference (v)), and the authorities prescribed in Reference (f), as 
appropriate. 

(5) Documenting TSN plans and implementation activities in PPPs and relevant 
cybersecurity plans and documentation in accordance with Reference (h). 

c. Assign DoD Components specialists to assist the Director, DIA, to conduct threat analysis 
of suppliers of critical components. 

d. Coordinate with the USD(AT&L) and the DoD CIO regarding TSN training of all 
appropriate DoD Components and contractor personnel commensurate with their assigned 
responsibilities. 

e. Notify the cognizant Milestone Decision Authority, Authorizing Official, and the DoD 
CIO of significant threats that cannot be reasonably addressed through technical mitigation, 
countermeasures, or risk management procedures. 

f. Notify the USD(I) and DIRNSA/CHCSS, of discovered or suspected supply chain exploits 
for the purposes of further analysis and the development of enterprise remediation, as 
appropriate. 
g. Integrate Component-unique TSN concepts into DoD Components policies and processes, 
as appropriate. 

h. Ensure the Component Acquisition Executive or Chief Information Officer, or designee, 
designate DoD systems that are not national security systems or systems with a high impact 
level for confidentiality, integrity, or availability as applicable systems in accordance with 
subparagraph 2.b.(3) above the signature of this Instruction. 

i. Provide software and hardware assurance capabilities and resources, and support the 
JFAC, as required by References (s) and (t). 





GLOSSARY 

PART I. ABBREVIATIONS AND ACRONYMS 

ASIC            application-specific integrated circuits 
CJCS            Chairman of the Joint Chiefs of Staff 
DIA             Defense Intelligence Agency 
DIRNSA/CHCSS    Director, National Security Agency/Chief, Central Security Service 
DMEA            Defense Microelectronics Activity 
DoD CIO         DoD Chief Information Officer 
DoDD            DoD Directive 
DoDI            DoD Instruction 
FPGA            field-programmable gate arrays 
IA              information assurance 
ICT             information and communications technology 
IT              information technology 
IUID            item unique identification 
JFAC            Joint Federated Assurance Center 
MAC             Mission Assurance Category 
NIPRNet         Non-classified Internet Protocol Router Network 
PPP             Program Protection Plan 
RDA             research, development, and acquisition 
SCRM            supply chain risk management 
TSN             trusted systems and networks 
USD(AT&L)       Under Secretary of Defense for Acquisition, Technology, and Logistics 
USD(I)          Under Secretary of Defense for Intelligence 
USD(P)          Under Secretary of Defense for Policy 
U.S.C.          United States Code 

PART II. DEFINITIONS 


Unless otherwise noted, these terms and their definitions are for the purposes of this Instruction. 
critical component. A component which is or contains ICT, including hardware, software, and 
firmware, whether custom, commercial, or otherwise developed, and which delivers or protects 
mission critical functionality of a system or which, because of the system’s design, may 
introduce vulnerability to the mission critical functions of an applicable system. 

criticality analysis. An end-to-end functional decomposition performed by systems engineers to 
identify mission critical functions and components. Includes identification of system missions, 
decomposition into the functions to perform those missions, and traceability to the hardware, 
software, and firmware components that implement those functions. Criticality is assessed in 
terms of the impact of function or component failure on the ability of the component to complete 
the system mission(s). 

cybersecurity. Defined in Reference (e). 

enclave. Defined in Committee on National Security Systems Instruction No. 4009 (Reference 
(x)). 

ICT. Includes all categories of ubiquitous technology used for the gathering, storing, 
transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit 
boards, computing systems, software, signal processors, mobile telephony, satellite 
communications, and networks). ICT is not limited to information technology (IT), as defined in 
section 11101 of title 40, U.S.C. (Reference (w)). Rather, this term reflects the convergence of 
IT and communications. 

industrial control system. Defined in Reference (x). 

information system. Defined in Reference (x). 

information systems security engineering. Defined in Reference (x). 

mission critical functions. Any function, the compromise of which would degrade the system 
effectiveness in achieving the core mission for which it was designed. 

national security system. Defined in Reference (l). 

SCRM. A systematic process for managing supply chain risk by identifying susceptibilities, 
vulnerabilities and threats throughout DoD’s “supply chain” and developing mitigation strategies 
to combat those threats whether presented by the supplier, the supplied product and its 
subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, 
transport, mission operation, and disposal). 

software assurance. The level of confidence that software functions as intended and is free of 
vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software 
throughout the lifecycle. 
supply chain risk. The risk that an adversary may sabotage, maliciously introduce unwanted 
function, or otherwise subvert the design, integrity, manufacturing, production, distribution, 
installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise 
degrade the function, use, or operation of such system. 

system security engineering. An element of system engineering that applies scientific and 
engineering principles to identify security vulnerabilities and minimize or contain risks 
associated with these vulnerabilities. 

U.S. person. Defined in DoD 5240.1-R (Reference (y)). 

weapon system. A combination of one or more weapons with all related equipment, materials, 
services, personnel, and means of delivery and deployment (if applicable) required for self- 
sufficiency. 